
HIPAA: Impact on the Pharmaceutical Industry
Dr Saji Salam | Tuesday, February 26, 2002, 08:00 Hrs  [IST]

With the Indian pharmaceutical industry reaching out to the US market, it is imperative that these companies adapt to the regulatory landscape in that country. HIPAA (Health Insurance Portability and Accountability Act) has a major impact on how the pharmaceutical industry conducts business in the US.

As consumers increasingly use the Internet for healthcare-related services - and eHealth becomes more popular - building and retaining the eCustomer base becomes crucial for the success of pharmaceutical companies targeting this market segment. A key to building successful eRelationships is the quality of information obtained from the customer. For example, given the constant relocation of people within the country, keeping track of postal addresses can be a major challenge, and a simple eMail can be one of the most cost-effective ways of staying in touch with customers.

Recently, pharmaceutical major Eli Lilly blamed a programming error for an incident in which it accidentally disclosed the eMail addresses of about 600 medical patients who had registered to get messages reminding them to take the antidepressant drug Prozac, or to attend to other health-related matters. Against the backdrop of such incidents, consumer rights and HIPAA regulations, pharmaceutical companies may have to redesign marketing strategies such as their direct-to-consumer marketing.

As required by Congress in HIPAA, the Privacy Rule covers health plans, healthcare clearing-houses, and those health care providers who conduct financial and administrative transactions electronically. Pharmaceutical firms do not fall under the definition of covered entities, as they do not engage in standard healthcare related transactions of treatment, payment or healthcare operations. The basic rule under HIPAA is that protected health information may not be used or disclosed without authorization from the patient. There are exceptions for which authorization is not required, however, including instances where disclosure is mandated by another law, advances a public health purpose, or is to be used in law enforcement or judicial proceedings.

Some of the provisions of the HIPAA Privacy Rule that could impact the pharmaceutical industry are the following:

De-identification of Protected Health Information

Information that could be used to individually identify a patient is termed Protected Health Information (PHI). Data is "de-identified" if eighteen specific identifiers are removed and the covered entity does not have actual knowledge that the information would be used to identify an individual. This is a cause for concern for pharmaceutical firms and infomediaries who collect such information. Many physicians are opposed to the practice adopted by some pharmaceutical companies, which obtain PHI from various sources and conduct targeted mailing campaigns to patients with specific reference to their disease condition. To ensure compliance, covered entities could obtain a report from a statistician stating that the risk of "re-identification" is minimal. The report is to be substantiated with documents that support the rationale behind such a conclusion. Henceforth, suppliers of PHI to the pharmaceutical industry will have to de-identify the information before providing it.

Marketing

Drug marketers will be required to have written permission in advance from the patient, in order to use their data for direct marketing purposes. The need for written permission would apply to personally identifiable data obtained from Web sites and other sources. This would have an impact on drug companies engaged in focused marketing campaigns, based on patient demographic data.

Disease Management

The American Hospital Association (AHA), on behalf of its nearly 5,000 member hospitals, health systems and other care providers, expressed the following view in a letter to the Secretary of Health and Human Services: "What providers often do for the purposes of health promotion and disease management could be described as marketing. The provider is reminding or educating the patient about a particular service that may be important for that individual's unique situation. The individual patient's information is essential for the caregiver to help them appropriately manage their condition. Appointment reminders for dentists, mammograms, or pediatric immunizations, and asthma management tools, at-home diabetes monitoring, and information on disease prevention sessions could all be considered marketing. It is critical that this regulation not create barriers for providers to use these tools for managing chronic conditions and preventing disease."

However, the lack of clarity on this subject is evident from the recent guidelines on the Privacy Rule published by the Department of Health and Human Services, which state: "Whether these kinds of activities fall under the rule's definition of 'marketing' depends on the specifics of how the activity is conducted. The activities currently undertaken under these rubrics are diverse. Covered entities must examine the particular activities they undertake, and compare these to the activities that are exempt from the definition of 'marketing'."

Post-Marketing Surveillance

Post-marketing surveillance is intended to mean those activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies.

The HIPAA rule does not require patient authorization for disclosures related to certain post-marketing surveillance of drugs and medical devices. A covered entity may disclose PHI to a person subject to FDA jurisdiction (such as a pharmaceutical manufacturer) to report adverse events, product defects, or biological product deviations; to track products, if the person to whom the disclosure is made is required by the FDA to track the product; to conduct FDA-required post-marketing surveillance; and to facilitate product recalls.

If a pharmaceutical company seeks to create a registry containing protected health information about individuals who have taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company's registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of the rule.

Medical Research

Under the HIPAA rule, PHI generally may be disclosed for medical research purposes only on the basis of patient authorization, or waiver by an institutional review board or privacy board. Patient authorization is not required for disclosures of PHI to researchers who need the data to develop research protocols. However, to come within this exception to the authorization rule, such "reviews preparatory to research" require documentation from the researcher that the disclosure is solely for the purpose of preparing a research protocol. A pharmaceutical company may ask a covered provider to recruit patients for drug research; if the covered provider asks patients to sign an authorization for the provider to disclose protected health information to the pharmaceutical company for this research, this is also an authorization requested by a covered entity for disclosure of protected health information maintained by the covered entity.

Business Associates

Disclosure of PHI for marketing purposes is limited to disclosure to business associates that undertake marketing activities on behalf of the covered entity. No other disclosure for marketing is permitted. Covered entities may not give away or sell lists of patients or enrollees without obtaining authorization from each person on the list. As with any disclosure to a business associate, the covered entity must obtain the business associate's agreement to use the PHI only for the covered entity's marketing activities. A covered entity may not give PHI to a business associate for the business associate's own purposes. The Privacy Rule prohibits health plans and covered health care providers from giving PHI to third parties for the third party's own business purposes, absent authorization from the individuals. This again complicates acquisition of data from the traditional providers of PHI to the pharmaceutical industry.

In summary, HIPAA regulations could bring about sweeping changes in the traditional marketing strategies used by pharmaceutical companies. The impact of the regulations has to be considered while planning Internet-based strategies as well. At the same time, complying with the regulations could boost customer confidence in the industry. Moreover, HIPAA would prepare the industry to fulfill the requirements of privacy directives, which are evolving in other countries.

About the author:

The author heads the Healthcare & Life Sciences Practice at vMoksha Technologies.
